b"                                                                               Appendix A\n\n\n\n\nNATIONAL CREDIT UNION ADMINISTRATION\n    OFFICE OF INSPECTOR GENERAL\n\n\n\n\n              INDEPENDENT EVALUATION OF THE\n           NATIONAL CREDIT UNION ADMINISTRATION\n              INFORMATION SECURITY PROGRAM\n                           2006\n\n         Report #OIG-06-05                September 29, 2006\n\n\n\n\n                              William A. DeSarno\n                              Inspector General\n\n\n    Released by:                            Auditor-in-Charge:\n\n\n\n    James Hagen                            Tammy F. Rapp, CPA, CISA\n    Asst IG for Audits                     Sr Information Technology Auditor\n\n\n\n\n                         LIMITED OFFICIAL USE ONLY\n\x0c            INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                          INFORMATION SECURITY PROGRAM - 2006\n                                    Report #OIG-06-05\n\n                                        CONTENTS\n\nSection                                                                          Page\n\n   I      EXECUTIVE SUMMARY                                                        1\n\n  II      BACKGROUND                                                               3\n\n  III     OBJECTIVE                                                                4\n\n  IV      METHODOLOGY AND SCOPE                                                    4\n\n  V       RESULTS IN DETAIL                                                        5\n\n               Sensitive Credit Union Data                                         5\n\n               Privacy Impact Assessments                                          6\n\n               Certification and Accreditation                                     8\n\n               Account Reconciliation                                              9\n\n               Account Security Configuration               
                      10\n\n               Personnel Security Awareness                                       12\n\n               Security Documentation                                             12\n\n               E-Authentication Risk Assessments                                  13\n\n               Security Configuration Guides                                      14\n\n               Continuity of Operations Plan                                      15\n\n               Disaster Recovery Testing                                          17\n\n               System Restoration Priorities                                      17\n\n               Physical Security                                                  18\n\n               Incident Response Training                                         18\n\n               Plan of Action and Milestones (POA&M)                              19\n\n\n\n\n                             LIMITED OFFICIAL USE ONLY\n\x0c               INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                             INFORMATION SECURITY PROGRAM - 2006\n                                       Report #OIG-06-05\n\n                               I. EXECUTIVE SUMMARY\nThe Office of Inspector General (OIG) for the National Credit Union Administration (NCUA)\nengaged Grant Thornton LLP to conduct an independent evaluation of its information systems\nand security program and controls for compliance with the Federal Information Security\nManagement Act (FISMA), Title III of the E-Government Act of 2002.\n\nGrant Thornton evaluated NCUA\xe2\x80\x99s security program through interviews, documentation reviews,\nand sample testing. 
We evaluated NCUA against standards and requirements for federal\ngovernment agencies such as those provided through FISMA, National Institute of Standards\nand Technology (NIST) Special Publications (SPs) and Federal Information Processing\nStandards (FIPS), and Office of Management and Budget (OMB) memorandums. We\nconducted an exit conference with NCUA officials on September 6, 2006, to discuss evaluation\nresults.\n\nThe NCUA made noticeable progress in strengthening its Information Technology (IT) security\nprogram during Fiscal Year (FY) 2006. Notable accomplishments include:\n\n   \xe2\x80\xa2   Significant strides in remediation of the significant deficiency noted in the FY2005 report\n       by deploying encryption software to improve security of information stored on examiners\xe2\x80\x99\n       laptop computers, and\n   \xe2\x80\xa2   Completion of the Accreditation package for the NCUA General Support System (GSS).\n\nWhile NCUA has made commendable progress in eliminating the significant deficiencies\nreported last year, our review this year identified the following weaknesses in IT security\ncontrols that deserve immediate management attention:\n\n   \xe2\x80\xa2   Procedures requiring the use of cryptographic security measures for sensitive financial\n       and Personally Identifiable Information (PII) need better enforcement, and Privacy\n       Impact Assessments (PIA) for its systems needs to be developed.\n\n   \xe2\x80\xa2   Certification and accreditation (C&A) of all NCUA systems needs to be completed.\n\n   \xe2\x80\xa2   Password and user account security configurations need improvement, including regular\n       user account reconciliations.\n\n   \xe2\x80\xa2   Personnel security awareness training program needs to be fully implemented.\n\nWe also noted the following other weaknesses in IT security controls that management should\nconsider:\n\n   \xe2\x80\xa2   Security planning documentation needs improvement in consistent version 
control,\n       revisions/updates, and dissemination to required officials.\n\n   \xe2\x80\xa2   E-Authentication risk assessments should be developed for NCUA\xe2\x80\x99s systems.\n\n   \xe2\x80\xa2   Security configuration guides need to be developed.\n\n   \xe2\x80\xa2   Continuity of Operations Plan (COOP) and Disaster Recovery procedures need to be\n       more consistently updated and tested including the regular testing of NCUA\xe2\x80\x99s Disaster\n\n                                LIMITED OFFICIAL USE ONLY\n                                            1\n\x0c               INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                             INFORMATION SECURITY PROGRAM - 2006\n                                       Report #OIG-06-05\n\n        Recovery and system contingency plans. In addition, restoration priorities related to\n        system impact ratings need to be consistently applied and documented.\n\n    \xe2\x80\xa2   Physical security measures need to be consistently enforced.\n\n    \xe2\x80\xa2   Regular incident response training needs to be conducted.\n\n    \xe2\x80\xa2   NCUA\xe2\x80\x99s Plan of Actions and Milestones (POA&M) process needs improvement.\n\nWe appreciate the courtesies and cooperation provided to our auditors during this audit.\n\n.\n\n\n\n\n                               LIMITED OFFICIAL USE ONLY\n                                             2\n\x0c               INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                             INFORMATION SECURITY PROGRAM - 2006\n                                       Report #OIG-06-05\n\n                                     II. BACKGROUND\nThis section provides background information on FISMA and NCUA.\n\nFEDERAL INFORMATION SECURITY MANAGEMENT ACT\n\nThe President signed into law the E-Government Act (Public Law 107-347), which includes Title\nIII, Information Security, on December 17, 2002. 
FISMA permanently reauthorized the\nframework laid out in the Government Information Security Reform Act of 2000 (GISRA), which\nexpired in November 2002. FISMA continues annual review and reporting requirements\nintroduced in GISRA. In addition, it includes new provisions aimed at further strengthening the\nsecurity of the federal government\xe2\x80\x99s information and information systems, such as development\nof minimum standards for agency systems. In general, FISMA:\n\n       \xe2\x80\xa2       Lays out a framework for annual information technology security reviews,\n               reporting, and remediation plans.\n\n       \xe2\x80\xa2       Codifies existing OMB security policies, including those specified in Circular A-\n               130, Management of Federal Information Resources, and Appendix III.\n\n       \xe2\x80\xa2       Reiterates security responsibilities outlined in the Computer Security Act of 1987,\n               Paperwork Reduction Act of 1995, and Clinger-Cohen Act of 1996.\n\n       \xe2\x80\xa2       Tasks NIST with defining required security standards and controls for federal\n               information systems.\n\nOMB issued the 2006 Reporting Instructions for the Federal Information Security Management\nAct on July 17, 2006. This document provides clarification to agencies for implementing,\nmeeting, and reporting FISMA requirements to OMB and Congress.\n\nNATIONAL CREDIT UNION ADMINISTRATION\n\nNCUA is the independent federal agency that charters, supervises, and insures the nation\xe2\x80\x99s\nfederal credit unions, and it insures many state-chartered credit unions as well. NCUA is funded\nby the credit unions it supervises and insures. 
NCUA's mission is to foster the safety and\nsoundness of federally-insured credit unions and to better enable the credit union community to\nextend credit for productive and provident purposes to all Americans, particularly those of\nmodest means.\n\nNCUA strives to ensure that credit unions are empowered to make necessary business\ndecisions to serve the diverse needs of its members and potential members. It does this by\nestablishing a regulatory environment that encourages innovation, flexibility, and a continued\nfocus on attracting new members and improving service to existing members.\n\nNCUA has a full-time three-member board appointed by the President of the United States and\nconfirmed by the Senate. The Board consists of a chairman, vice chairman, and member. No\nmore than 2 board members can be from the same political party, and each member serves a\nstaggered 6-year term. NCUA\xe2\x80\x99s board regularly meets in open session each month with the\nexception of August, in Alexandria, Virginia. In addition to its central office in Alexandria, NCUA\nhas five regional offices and the Asset Management and Assistance Center (AMAC).\n\n                               LIMITED OFFICIAL USE ONLY\n                                             3\n\x0c              INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                            INFORMATION SECURITY PROGRAM - 2006\n                                      Report #OIG-06-05\n\n                                      III. 
OBJECTIVE\nThe engagement objective was to assist the OIG in performing an independent evaluation of\nNCUA information security policies and procedures for compliance with FISMA and federal\nregulations and standards and to evaluate the following efforts:\n\n       \xe2\x80\xa2   Efficiency and effectiveness of the agency\xe2\x80\x99s information security program\n       \xe2\x80\xa2   Agency\xe2\x80\x99s progress in meeting responsibilities under FISMA\n       \xe2\x80\xa2   Agency\xe2\x80\x99s progress in remediation of prior audit weaknesses relating to FISMA and\n           other security weaknesses identified\n       \xe2\x80\xa2   Agency progress in implementing its plans of action and milestones (POA&M)\n\nAdditionally, the audit was required to provide sufficient supporting evidence of NCUA\xe2\x80\x99s security\nprogram evaluation to enable the OIG to report to OMB.\n\n\n                         IV. METHODOLOGY AND SCOPE\nOur evaluation compared NCUA\xe2\x80\x99s information security program and practices with FISMA and\nfederal criteria contained in the Government Accountability Office\xe2\x80\x99s Federal Information System\nControls Audit Manual (FISCAM), as well as other relevant guidance from NIST and OMB.\n\nWe conducted a review of information security control techniques for all of NCUA\xe2\x80\x99s major\ninformation systems on a rotational basis. During this evaluation, we completed assessment of\nNCUA controls over access controls, incident management and reporting, and additional areas\nrequired to report under OMB M-06-20. This included reviews of C&A documentation such as\nsystem security plans, risk assessments, contingency plans, and certification reports. In\naddition, we reviewed existing information security controls and identified weaknesses\nimpacting certain components affecting GSS security.\n\nWe did not conduct penetration testing during this evaluation. 
Our testing efforts, scheduled on\na rotational basis, will conduct penetration testing during a future evaluation.\n\nWe performed our engagement in accordance with generally accepted government auditing\nstandards (GAGAS), audit standards promulgated by American Institute of Certified Public\nAccountants (AICPA), and information systems standards issued by the Information Systems\nAudit & Control Association (ISACA).\n\n\n\n\n                              LIMITED OFFICIAL USE ONLY\n                                            4\n\x0c               INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                             INFORMATION SECURITY PROGRAM - 2006\n                                       Report #OIG-06-05\n\n                                 V. RESULTS IN DETAIL\nSecurity program planning and management controls are designed to provide the framework\nand continuing cycle of activity for managing risk, developing security policies, assigning\nresponsibilities, and monitoring the adequacy of an entity's computer-related controls. We\nidentified weaknesses that require management's attention, and they are discussed below.\n\n\n1.     NCUA should do more to enforce procedures requiring the use of cryptographic\n       security measures in protecting sensitive financial and Personally Identifiable\n       Information.\nCurrent security procedures should be improved to better enforce the use of cryptographic\nsecurity measures in securing sensitive financial and Personally Identifiable Information (PII)\nused by credit union examiners to conduct their audits. We noted several areas where\nimprovement is needed in enforcing the use of encryption for exam data below:\n\n       \xe2\x80\xa2   Laptop encryption: While all AIRES files contain information considered both\n           sensitive and PII related to financial disclosure, not all AIRES files are encrypted on\n           examiner laptops. 
In all of the examiner laptops examined, exam files, produced by\n           AIRES and containing sensitive personal and financial information, were stored\n           outside the encrypted directory and available in plaintext.\n\n       \xe2\x80\xa2   Encryption of Data at Rest: Examiners are issued external hard drives for use in\n           periodic (weekly) backups. We examined one external hard drive and found that it\n           did not utilize any encryption technology for most of the data at rest. The\n           pervasiveness of this practice was confirmed by the NCUA Information Security\n           Officer (ISO). Additionally, these drives are stored at the examiners home offices.\n\n       \xe2\x80\xa2   Deletion of sensitive files: The examiners interviewed noted they do not immediately\n           delete sensitive files that are for credit union examinations they have completed.\n           When examiners do delete files, they simply hit the \xe2\x80\x9cdelete\xe2\x80\x9d key. This means copies\n           of deleted files likely reside in the recycle bin and are not overwritten in order to\n           prevent restoration. In addition, we observed hundreds of old files that were\n           maintained on an examiner\xe2\x80\x99s drive that were not needed.\n\n       \xe2\x80\xa2   Multiple, non-encrypted media storage: Examiners use various media for backup and\n           sharing purposes in between weekly backups to their external drive. The examiners\n           confirmed the use of CDs and/or personal USB drives at a minimum. We observed\n           files containing sensitive and PII data on these media that were not encrypted. 
Due\n           to the size and portability of this type of media, NCUA is at great risk of losing or\n           misplacing this media with sensitive personal and financial data.\n\nBy not implementing procedures to ensure the selected process for encryption of sensitive data\nis utilized, regardless of the storage media, NCUA potentially increases the risk of inadvertent\ndisclosure of sensitive information which, in turn, increases the risk to NCUA data confidentiality\nand integrity, as well as potential identity theft of credit union members.\n\nThe Federal Information Security Management Act provides guidance related to these\nconditions:\n\n\n                               LIMITED OFFICIAL USE ONLY\n                                             5\n\x0c              INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                            INFORMATION SECURITY PROGRAM - 2006\n                                      Report #OIG-06-05\n\n       Provide information security protections commensurate with the risk and magnitude of\n       the harm resulting from unauthorized access, use, disclosure, disruption, modification, or\n       destruction of agency information. (Section 301, 3544, a1,A)\n\nRecommendation: We recommend that NCUA management enforce the encryption of all\nsensitive data on all laptops, portable devices, and storage media. Additionally, user training\nshould be enhanced to specifically address the need for securing and encrypting sensitive data\n(including that beyond Social Security Numbers).\n\nAgency Response: Agreed. 
As you know, we have made substantial progress and will\ncontinue to improve.\n\nWe have;\n  \xe2\x80\xa2 Encrypted sensitive data on most of the laptops, thumb drives and external hard drives,\n  \xe2\x80\xa2 Conducted training on this subject at the regional conferences.\n\nWe will;\n  \xe2\x80\xa2 Force encryption on the laptops and external hard drives that have not yet been done\n       manually,\n  \xe2\x80\xa2 Modify the rules of behavior to further bring awareness to this subject.\n\nOIG Response: The OIG concurs.\n\n\n2.     Privacy Impact Assessments (PIA) are needed for NCUA systems.\n\nThe NCUA has not completed a privacy impact assessment for its data or systems. While\ncertification and accreditation activities have been completed or are in process, a formal\nconsideration of privacy has not occurred. The NCUA has asserted that the requirement to\ncomplete a PIA does not apply to the agency and therefore has not been completed.\nCompletion of the PIA was noted as being required during the previous year\xe2\x80\x99s FISMA evaluation\nas part of C&A requirements. The NCUA increases the risk of sensitive information being\ninadvertently disclosed to unauthorized persons and the potential impact to personally\nidentifiable information is not assessed.\n\nThe E-Government Act guides agencies to:\n\n       To conduct a PIA before: developing or procuring IT systems or projects that collect,\n       maintain or disseminate information in identifiable form from or about members of the\n       public or initiating, consistent with the Paperwork Reduction Act, a new electronic\n       collection of information in identifiable form for 10 or more persons (excluding agencies,\n       instrumentalities or employees of the federal government). 
In general, PIAs are required\n       to be performed and updated as necessary where a system change creates new privacy\n       risk.\n\nRecommendation: We recommend that NCUA management complete a privacy impact\nassessment over its data.\n\n\n\n\n                              LIMITED OFFICIAL USE ONLY\n                                            6\n\x0c              INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                            INFORMATION SECURITY PROGRAM - 2006\n                                      Report #OIG-06-05\n\nAgency Response: While management believes a privacy review of all \xe2\x80\x9cdata\xe2\x80\x9d is a\ncommendable goal, management maintains its position that a PIA, as contemplated by the E-\nGovernment Act, is not required.\n\nManagement acknowledges that the agency is subject to the requirement to prepare PIAs as\nprovided in the E-Government Act. Management\xe2\x80\x99s view is that the requirement to prepare a\nPIA, required under the E-Government Act that became effective April 17, 2003, is triggered\nwhere an agency develops or procures an IT system or changes an existing system by adding\nnew uses or new technologies or significantly changes how information in identifiable form is\nmanaged in the system. Generally, a PIA is required where a system change creates new\nprivacy risks. See OMB Guidance for Implementing the Privacy Provisions of the E-\nGovernment Act of 2002 (M-03-22).\n\nNCUA last updated its Systems of Records notice effective in February 2000. See 65 Fed. Reg.\n3486 (Jan. 21, 2000). Management\xe2\x80\x99s position is that, with the exception of the new Personnel\nSecurity and Identity Management Systems required under the Homeland Security Presidential\nDirective-12 (HSPD-12), the agency has neither developed nor procured new IT systems nor\nmade a significant change to an existing system that created new privacy risks requiring\npreparation of a PIA. 
At this time, the agency is in the process of developing a PIA for these\nnew systems, updating its Systems of Records notice, and preparing related notices and\ninstructions for employees.\n\nManagement maintains its view that it is not required to prepare and publish a PIA conforming\nto the requirements of the E-Government Act for IT systems in existence before April 2003 and\nwhich have been maintained without significant change. It is our position that our ongoing\nmaintenance of these systems has not had an impact on the privacy risk of those systems.\nRoutine maintenance does not change the basic functions of the programs; it normally entails\nupdates to the user interface, revised edit formulas, etc., which have no bearing on the privacy\nrisk level. Nevertheless, management acknowledges that a review of existing IT systems to\nensure compliance with information privacy laws, regulation, and policy is an appropriate and\ncommendable agency aspiration and intends to undertake such review as agency resources\npermit.\n\nOIG Response: Per the requirements of section 208 of the E-Government Act of 2002, OMB\nissued guidance to agencies regarding the development of PIAs. The guidance provided by\nOMB applies to all executive branch departments and agencies. The Act requires agencies to\nconduct a PIA before developing or procuring IT systems that collect, maintain, or disseminate\ninformation in identifiable form from or about member of the public as well when the changes\noccur in information collection authorities, business processes or other factors affecting the\ncollection and handling of such information. 
Since the inception of the E-Gov Act, NCUA has\nimplemented several changes to business process and technical solutions that meet the above\ncriteria as changes requiring an update or development of a PIA, including the distribution of\nexternal hard drives to store credit union audit data that are stored at the examiners\xe2\x80\x99 homes, an\nagency-wide update in operating systems (from 2000 to XP), distribution of new laptops, and\npartial implementation of sensitive data encryption.\n\nIt is the opinion of the OIG that any one of the above changes constitutes a change of the\nmagnitude that requires the development of a PIA. Based on the identified changes to the\nmethods of collecting, processing, and storing personally identifiable information with the\nagency\xe2\x80\x99s IT infrastructure, NCUA should develop a PIA and maintain it on an ongoing basis.\n\n\n                              LIMITED OFFICIAL USE ONLY\n                                            7\n\x0c                INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                              INFORMATION SECURITY PROGRAM - 2006\n                                        Report #OIG-06-05\n\n\n3.      Certification and accreditation (C&A) activities have not been completed for all\n        NCUA systems.\n\nThe NCUA continues to conduct ongoing certification and accreditation activities for its systems.\nA standard protocol has been developed, incorporating NIST SP 800-53 control baselines, and\nused to conduct certification tests on all major NCUA systems. An outside vendor was\ncontracted during 2005 to assist the NCUA in certifying and accrediting the GSS and NAS\nsystems. As a result of this process, the GSS has been fully certified and accredited. 
The NAS,\nESS, CRS, and IIS systems are currently undergoing certification and accreditation activities\nand were not complete as of the end of our field work.\n\nIn addition to not completing the certification and accreditation of all NCUA systems, our\nevaluation of the overall C&A process identified the following weaknesses:\n\n\xe2\x80\xa2    While the GSS has been fully certified and accredited, its system security plan (SSP) needs\n     to be updated to reflect the current NCUA environment. The current NCUA documentation\n     does not reflect a consistent, accurate overview of the GSS technical environment as it\n     currently exists. Notable exceptions include:\n\n        \xe2\x80\xa2       Continued reference to ZoneAlarm\xe2\x84\xa2 personal firewalls, which have been\n                removed.\n        \xe2\x80\xa2       No accounting for minor applications as they relate to the overall risk of the GSS\n                infrastructure.\n        \xe2\x80\xa2       Technology such as Voice over Internet Protocol (VoIP) which requires additional\n                security considerations (see NIST 800-58) are not addressed.\n        \xe2\x80\xa2       The version of the GSS SSP provided does not reflect version control (i.e. record\n                changes) or dissemination instructions.\n\n        The lack of adequately documented security requirements in the GSS SSP may impact\n        NCUA\xe2\x80\x99s ability to continuously and comprehensively monitor overall risk and maintain\n        security configuration commensurate with that risk.\n\n\xe2\x80\xa2    The NCUA security documentation does not support consistent application of impact\n     assessment rankings in accordance with FIPS 199. 
Our evaluation noted instances of\n     systems having different FIPS 199 impact rankings between the risk assessment and\n     system security plan.\n\n     By not using a standardized approach to assessing FIPS 199 impact rankings, NCUA\n     potentially limits the ability to apply required security controls commensurate to systemic risk\n     to confidentiality, integrity, and availability.\n\n\xe2\x80\xa2    The NCUA has not fully documented Interconnection Security Agreements (ISA),\n     Memorandums of Understanding (MOU), or Memorandums of Agreement (MOA) for all of its\n     systems connections to outside agencies. While connections to the Federal Reserve and\n     GSA have been documented, connections to the Department of Treasury and to Pay.Gov\n     have not.\n\n     By not formally documenting system interconnections with other agencies/organizations,\n     NCUA increases the risk of connecting to a system that does not meet the security\n\n\n                                LIMITED OFFICIAL USE ONLY\n                                              8\n\x0c               INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                             INFORMATION SECURITY PROGRAM - 2006\n                                       Report #OIG-06-05\n\n     requirements of its own system. Thus increasing the risk to NCUA\xe2\x80\x99s data confidentiality,\n     integrity, and availability\n\nOMB Circular A-130, Appendix III, Security of Federal Automated Information Resources,\nprovides the following guidance related to these conditions:\n\n        Ensure that a management official authorizes in writing the use of each general\n        support system based on implementation of its security plan before beginning or\n        significantly changing processing in the system. 
Use of the system shall be re-\n        authorized at least every three years (Section A.3.a.4).\n\nFIPS 199 guides agencies in assigning security categorizations and requires:\n\n        Agencies to assign security categories that are based on the potential impact on\n        an organization should certain events occur which jeopardize the information and\n        information systems needed by the organization to accomplish its assigned\n        mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day\n        functions, and protect individuals (i.e. Privacy Act or PII).\n\nNIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems,\nprovides additional guidance relating to the development of system security plans:\n\n        An ISA, MOU, or MOA is needed between systems (not between\n        workstations/desktops or publicly accessed systems) that share data that are\n        owned or operated by different organizations. (Section 3.1.1)\n\n        Additionally, it guides that the Information System Owner must update the\n        system security plan whenever a significant change occurs. (Section 1.7.2)\n\nRecommendation: We recommend that NCUA management: complete its C&A activities for\nthe NAS, ESS, CRS and IIS systems; periodically review and update the SSPs as part of\nconfiguration and risk management; and ensure that security categorizations are completed in\naccordance with FIPS guidance. Additionally, we recommend that NCUA management formally\ndocument all of its system interconnections with outside agencies and/or organizations through\nthe use of the MOU, ISA, or MOA.\n\nAgency Response: Agreed. We are continuing to complete the certification processes and\nhave already completed the FIPS categorization.\n\nOIG Response: The OIG concurs.\n\n\n4.      
Regular user account reconciliations are not conducted to ensure that only user\n        accounts with a business purpose exist.\n\nThe NCUA does not conduct regular user account reconciliations over its account population,\nwhich has resulted in an excessive number of system and temporary accounts on the system.\nAdditionally, after further discussion, we noted that NCUA has not implemented a temporary\naccount policy or procedure.\n\n\n\n                                LIMITED OFFICIAL USE ONLY\n                                              9\n\x0c               INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\n                             INFORMATION SECURITY PROGRAM - 2006\n                                       Report #OIG-06-05\n\nThe NCUA, based on our discussions surrounding this matter, have recently completed a\nreconciliation that is to identify potentially unneeded system and temporary accounts and\naddress them. Additionally, a third-party product is being implemented to automate the user\naccount review process.\n\nAdditionally, as a result of not conducting formal user account reconciliations, we identified an\ninstance of a separated employee not being timely removed from NCUA systems.\nDocumentation illustrating the request for removal of a user account did not occur timely for one\nNCUA separated employee. The employee did not have an exit email documented. A follow up\nemail dated June 02, 2006 was sent to verify that he could be removed from the NCUA system.\nHe separated from NCUA on February 2, 2006. 
Also, the follow-up email notes that his last logon was March 8, 2006, which is after his separation date.

By not conducting regular user account reconciliations, NCUA increases the risk of having outdated accounts active on the system, which may elevate the opportunity for an unauthorized person to gain access to NCUA systems.

NIST Special Publication 800-53 provides guidance for these conditions:

        The organization must manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization must review information system accounts.

OMB Circular A-130, Appendix III also guides that agencies establish controls to assure adequate security for all information processed, transmitted, or stored in Federal automated information systems.

Recommendation: We recommend that NCUA management establish system and temporary user account policy and procedures and implement a regular user account reconciliation process. Additionally, we recommend that NCUA consistently follow its employee enter, exit, or change procedures and send a notice to all offices reminding them of this policy.

Agency Response: Agreed.

OIG Response: The OIG concurs.


5.      NCUA password and user account security configurations need improvement.

During our evaluation we noted several instances of NCUA password and user account security configurations that need improvement. In general, NCUA network password settings apply only to network applications and resources, not to end-user laptops and desktops. Therefore, a user could enter an unlimited number of invalid passwords at the laptop or desktop itself; exceeding the password attempt threshold would only restrict access to network applications such as email.
According to the NCUA ISO, this practice is in place because remote users would need to physically ship their laptop to the Central Office facility to have their password reset in the event of a lockout. Additionally, we noted the following other conditions relating to NCUA’s password and user account security configuration:

•   NCUA password policy allows the same password to be used for too long a period of time by not currently forcing users to change their passwords.
•   After exceeding the allowed number of failed login attempts, users are only restricted from accessing network resources, not from the laptops themselves.
•   NCUA applications do not log users out following a limited period of inactivity, and password-protected screensavers for Central Office personnel engage only after too long a period of user inactivity.

Allowing users to maintain the same password indefinitely greatly increases the chance of the user’s password being discovered. Also, by allowing an infinite number of invalid login attempts, an unauthorized individual with access to a laptop could attempt as many passwords as necessary until they guessed the correct password. Additionally, by tolerating extended periods of inactivity, NCUA potentially increases the risk of unauthorized access to sensitive resources.

NIST SP 800-53 provides guidance to agencies on these conditions. It guides that:

        For password-based authentication, the information system enforces password minimum and maximum lifetime restrictions. (Section IA-5)

        The information system prevents further access to the system by initiating a session lock that remains in effect until the user reestablishes access using appropriate identification and authentication procedures. The information system also activates session lock mechanisms automatically after a specified period of inactivity defined by the organization. (Section AC-11)

        The information system enforces a limited number of consecutive invalid access attempts by a user during an organization-defined time period. The information system should automatically lock the account or delay the next login prompt when the maximum number of unsuccessful attempts is exceeded. (Section AC-7)

Recommendation: We recommend that NCUA management:

        •   Require users to change their password every 90 days.
        •   Fully lock user accounts, including laptops and desktops, after the maximum number of failed login attempts has been made.
        •   Password protect network applications and computers after 30 minutes of inactivity.

Agency Response:

•   Agree with the first bullet.
•   We evaluated this and concluded that it is not in the best interest of the agency due to the remote nature of most of our users.
•   OMB M-06-16 states that all mobile computers must be set to lock-out after 30 minutes. We have determined that this is an appropriate practice. The time-out is now set to 30 minutes for all laptops.

OIG Response: The OIG concurs with the agency’s response referring to the lock-out and has changed the recommendation to 30 minutes.
However, the choice not to limit failed user attempts should be documented and compensating controls identified.


6.      The NCUA personnel security awareness program has not been fully implemented.

The NCUA personnel security awareness training program has not been fully implemented. To accomplish security awareness training, the NCUA relies on the Rules of Behavior document, which describes NCUA’s information security policies and requires that NCUA employees acknowledge their understanding of them. However, not all NCUA employees and contractors have signed the NCUA Rules of Behavior document noting their understanding of and agreement to the NCUA security policies. In addition, SSAs have not been provided with the NCUA Rules of Behavior or a similar agreement. Additionally, not all NCUA personnel with significant security responsibilities have received additional security training.

The NCUA security awareness program is in the process of being completed. As of the time of this finding, not all NCUA employees have signed the NCUA Rules of Behavior document noting their understanding of and agreement to the NCUA security policies.
By not having all employees complete security awareness training, NCUA increases the risk of employees conducting their duties in a manner that is not in compliance with NCUA policy, which may increase the risk to NCUA data confidentiality, integrity, and availability.

NCUA Agency Wide Information Security Policy, section 3.1.3 requires:

         Training oversight has two parts, general awareness training and specific training for people with significant security responsibilities. The CIO will review the reports specified in section 3.2.3 to ensure adequate training is planned for NCUA.

NIST SP 800-53 guides that:

         The organization ensures system managers, system administrators, and other personnel having access to system-level software have adequate technical training to perform their assigned duties. (Section AT-3)

Recommendation: We recommend that NCUA management complete the process of fully implementing the security awareness training program and ensure that all employees, contractors, and SSAs who have access to NCUA data sign the NCUA Rules of Behavior document, and that employees with significant security responsibilities receive the appropriate amount of training.

Agency Response: Agreed. We need to re-write the rules of behavior in light of the new guidance and so will start the process over again.

OIG Response: The OIG concurs.


7.      Security planning documentation is inconsistent in version control, revisions/updates, and dissemination to required officials.

During our review we encountered several instances of multiple versions of the same security planning documents. Some notable discrepancies identified included:

     •   Different versions of security documents (e.g., Tech BCP, CRS SSP);
     •   No noted change records or version control;
     •   Documents not always updated periodically;
     •   Disaster Recovery planning and testing not formally documented; and
     •   ISO position lacks succession planning and points of contact.

Additionally, we noted that while the NCUA network diagrams document the critical access paths to the NCUA network infrastructure, some external connections are not specifically identified, for example the NCUA network security engineer’s remote connection to the network.

The NCUA IT security program is adversely affected by the lack of documentation that is formally updated and promulgated to affected officials. In addition, OCIO staffing does not support immediate administrative succession of key personnel to coordinate administrative and operational functions.

The Federal Information Security Management Act provides guidance related to these conditions:

         Each agency shall develop, document, and implement an agency-wide information security program that supports the operations and assets of the agency…policies and procedures should be based on risk assessments and be cost effective. (Section 301, 3544, a3, D)

Additionally, NIST Special Publication (SP) 800-53 and SP 800-30 provide guidance related to these conditions:

         SP 800-53 guides that agencies must plan, develop, and disseminate all plans, policies, and procedures to facilitate security planning and planning controls.

         SP 800-30 guides that, when developing information risk assessments, the network topology should be considered. (Section 3.1.1)

Recommendation: We recommend that NCUA management improve its security document management process and formally establish organization staffing, to include contributions and responsibilities of program officials. Additionally, we recommend that NCUA management include specific remote connection information in the existing network diagram, including the NCUA network security engineer’s remote connection.

Agency Response: Agreed.

OIG Response: The OIG concurs.


8.      E-Authentication risk assessments have not been completed for NCUA systems.

NCUA has not completed E-Authentication risk assessments for its systems. While a formal risk assessment has been completed for four out of six NCUA systems, E-Authentication risk considerations were not specifically addressed.
The NCUA has asserted that the requirement to complete an E-Authentication risk assessment does not apply to the agency, and therefore it has not been completed.

By not completing an E-Authentication risk assessment, the NCUA increases the risk of not complying with OMB policy, and may not fully capture risks associated with its e-Government activities.

OMB M-04-04, E-Authentication Guidance for Federal Agencies, Section 11, requires that:

       Agencies review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance. Additionally, section 1.2 notes that it applies to the remote authentication of human users of Federal agency IT systems for the purposes of conducting government business electronically (or e-government).

Recommendation: We recommend that NCUA management complete the E-Authentication risk assessment process in accordance with OMB Memorandum 04-04, E-Authentication Guidance for Federal Agencies.

Agency Response: It has never been our position that NCUA is exempt from the E-Authentication risk assessment requirements. Rather, our position is that these requirements apply to E-Commerce conducted by government agencies, as indicated in the excerpt from OMB Memorandum M-04-04 that you cited above. Our interpretation was confirmed verbally by the cognizant OMB desk officer in a conversation with the NCUA Information Security Officer and then confirmed in writing. Since NCUA does not engage in E-commerce, we have not triggered the requirement to conduct an E-authentication risk assessment.

Nonetheless, we have agreed to review the risk assessment template offered by the OIG in order to determine whether we have the need or resources to perform these risk assessments as a matter of good faith.

OIG Response: The OIG acknowledges the agency's position on E-Authentication risk assessments. However, we still recommend that the agency conduct e-authentication risk assessments as required by OMB M-04-04.


9.      Security configuration guides are not utilized for NCUA systems.

The NCUA has not established formal security configuration guides for its systems. Security configuration guides establish a security baseline on which to configure systems to ensure a consistent application of security controls. The NCUA has established limited configuration guides for its operating systems. However, guides for firewalls, domain servers, and routers do not formally exist.

By not establishing and implementing a formal security configuration guide, the NCUA increases the risk of not consistently applying security standards across agency information technology resources.

FISMA requires agencies to create secure baseline configurations.
Section 3544, concerning federal agency responsibilities, states:

       (b) AGENCY PROGRAM.—Each agency shall develop, document, and implement an agency wide information security program, approved by the Director under section 3543(a)(5), to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source, that includes— …
              (2) policies and procedures that—
                      (D) ensure compliance with—
                               (i) the requirements of this subchapter;
                               (ii) policies and procedures as may be prescribed by the Director, and information security standards promulgated under section 11331 of title 40;
                               (iii) minimally acceptable system configuration requirements, as determined by the agency;

Recommendation: We recommend that NCUA management establish and implement an agency-wide security configuration policy.

Agency Response: We may be working from two different interpretations of what constitutes a security configuration baseline. Our interpretation defines Windows 2003 out of the box as a configuration baseline along with subsequent changes which are documented in the server build document. We also used this approach with our routers.

OIG Response: FISMA (section 3544(b)(2)(D)(iii)) requires each agency to develop minimally acceptable system configuration requirements and ensure compliance with them. Systems with secure configurations have fewer vulnerabilities and are better able to thwart network attacks. “Out-of-the-box” settings often lack the necessary changes and restrictive settings to minimize vulnerabilities.

Under the Cyber Security Research and Development Act of 2002, NIST created the Security Configuration Checklist Program, designed to “develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become widely used within the Federal Government.” Under this program, described in NIST SP 800-70, agencies are to use checklists to establish a minimum security configuration for their systems and major applications, based on current practices in other agencies, vendors, consortia and academia.


10.     The NCUA Continuity of Operations Plan (COOP) and IT Disaster Recovery procedures are not consistently updated.

The NCUA COOP has not been updated since 2004, and documentation noting an update schedule for the NCUA COOP was not available. According to NCUA, proposed updates are being reviewed by the Regional Offices and Central Office for accuracy. The updates were to be completed in approximately 30 days, and the core COOP will be revised in 90-120 days. Additionally, no documentation has been provided to demonstrate testing of disaster recovery plans during the current year.

The NCUA Technical Business Continuity Plan does not reflect having been consistently updated on an annual basis.
In addition, the plan does not appear to have adequate version control for purposes of review and update. The initial version provided was dated 4/21/2005. However, on 6/21/2006 we were provided with a version with recent changes that was dated 7/12/2002.

Additionally, we noted that both AMAC Disaster Recovery Plan documents, (AMAC) Asset Management & Assistance Center: Computer Systems Disaster Recovery Plan and Disaster Recovery Plan: Asset Management and Assistance Center, have not been updated since June of 2003.

By not updating the COOP documents, NCUA increases the risk of not being able to recover in a timely manner from a service disruption and of not providing pertinent employees with accurate plans, procedures and technical measures to enable the recovery of systems, operations, and data after a disruption.

NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, requires all agencies to create, update, and test a contingency plan for major systems:

       Develop an IT contingency plan. The plan should contain detailed guidance and procedures for restoring a damaged system.

       To be successful, senior management, most likely the Chief Information Officer (CIO), must support a contingency program. These officials should be included in the process to develop the program policy, structure, objectives, and roles and responsibilities. At a minimum, the contingency policy should comply with federal guidance contained in the documents listed in Section 1.1; agencies should evaluate their respective IT systems, operations, and requirements to determine if additional contingency planning requirements are necessary. Key policy elements are as follows:
       •        Roles and responsibilities
       •        Scope as applies to the type(s) of platform(s) and organization functions subject to contingency planning
       •        Resource requirements
       •        Training requirements
       •        Exercise and testing schedules
       •        Plan maintenance schedule
       •        Frequency of backups and storage of backup media

       It is essential that the contingency plan be reviewed and updated regularly, as part of the organization change management process, to ensure new information is documented and contingency measures are revised if required.

Recommendation: We recommend that NCUA management update the NCUA COOP plan, the Technical Business Continuity plan, and the AMAC Disaster Recovery Plan by completing their process of conducting annual reviews and revisions.

Agency Response: Agreed.

OIG Response: The OIG concurs.


11.     Testing of NCUA Disaster Recovery and system contingency plans does not occur regularly.

Testing of NCUA Disaster Recovery/System Contingency plans does not occur on a routine basis (at least annually), and NCUA lacks specific policies for conducting periodic testing.
Review of the NCUA security program for FY2006 FISMA reporting indicates that only one of the six systems in the NCUA system inventory has tested its contingency plan(s) in the last year. Additionally, the Technical Business Continuity Plan does not reflect updates (at least annually) of test results and plan changes.

Not periodically testing IT System Disaster Recovery (DR) and Contingency plans, and not updating them with lessons learned from the testing, potentially impacts the effectiveness of these plans when required for real-world occurrences, and may impact system restoration priorities based on criticality.

NIST 800-53, section CP-4, guides that the information system DR and Contingency plans must be updated frequently, at least annually, and that contingency plan testing is coordinated with other related plans (such as COOP, Incident Response, etc.).

Recommendation: We recommend that NCUA management develop policies and procedures to test and update DR and Contingency plans at least annually, or more frequently if required.

Agency Response: Mostly agree. We believe that the AMAC system failure and subsequent recovery is a valid test of the DR plan.

OIG Response: The OIG disagrees that the AMAC system failure constitutes a test of the disaster recovery plan. NCUA should test all of its disaster recovery and contingency plans on an annual basis.


12.     Restoration priorities related to system impact ratings have not been documented.

NCUA has not documented restoration priorities related to impact ranking to ensure that the systems most critical to NCUA operations are restored according to mission criticality. It is not clear that the current NCUA documentation reflects overall restoration priorities based on system criticality, since impact rankings and system categorization for availability were based on impact to the Federal Government rather than impact to NCUA operations.

The inconsistent application of FIPS 199 categorization may impact how NCUA reconstitutes IT operations in support of NCUA business requirements.

Recommendation: We recommend that NCUA management complete the required Business Impact Analysis and ensure that the priority for restoration of IT systems is consistent with the impact rankings as related to NCUA’s mission.

Agency Response: Agreed. We have now implemented consistent FIPS 199 categorization, but this doesn’t address NCUA’s restoration priorities.

OIG Response: The OIG concurs.


13.     NCUA physical security measures are not consistently enforced.

During our evaluation we noted that some physical security measures are not consistently implemented in the NCUA Central Office:
•     We requested a copy of a recent physical security risk assessment conducted over NCUA facilities; however, we were informed one had not been completed.
•     NCUA procedures do not adequately address the controlled reentry of personnel following an emergency evacuation.
      The NCUA Facility Self-Protection Plan For 1775 Duke Street describes the reentry procedures following an emergency evacuation; however, these procedures do not specifically account for identity checks in a situation where normal access controls (like locked doors and security guards) are unlikely to be in place.

The lack of a facility risk assessment limits the organizational knowledge of risk and the ability of NCUA to disseminate risk knowledge throughout the organization. By not implementing procedures for identity checking all individuals reentering the Central Office following an emergency evacuation, NCUA increases the risk of “piggybacking” by non-NCUA personnel in a mass reentry. This may allow unauthorized access to sensitive NCUA data and facilities. Through inconsistent application of physical access controls, the NCUA increases the risk of unauthorized individuals gaining access to sensitive areas of the Central Office. This may increase the risk to NCUA data confidentiality, integrity, and availability.

NIST SP 800-30 and 800-53 provide guidance to agencies for these conditions.

         SP 800-30 guides that when developing information risk assessments, the physical security environment of IT systems (e.g., facility security) should be considered. (Section 3.1.1)

         SP 800-53 guides that the organization controls all physical access points (including designated entry/exit points) to facilities containing information systems (except for those areas within the facilities officially designated as publicly accessible) and verifies individual access authorizations before granting access to the facilities. (Section PE-3)

Recommendation: We recommend that NCUA management develop a risk assessment covering the Central Office facility and consistently enforce existing physical security policies. Additionally, we recommend that NCUA management update the Facility Self-Protection Plan to include procedures that prevent entry by unauthorized personnel during reentry following an emergency evacuation.

Agency Response: Agreed. We will include this item in our POA&M and forward it to DPFM for their action.

OIG Response: The OIG concurs.


14.     Periodic incident response training has not been conducted for NCUA personnel.

The NCUA does not conduct regular incident response training for its personnel. Additionally, the incident response plan does not articulate or provide guidance for the training of personnel in their respective roles and responsibilities. Training helps ensure that incident response team members are familiar with NCUA incident reporting practices and can increase the efficiency of a response.

The NCUA utilizes a Rules of Behavior document to disseminate security policies to employees and to document their understanding. However, the current Rules of Behavior document does not specifically give guidance to employees on reporting security incidents. The NCUA Rules of Behavior does not communicate what personnel should report to the Technical Support Desk in the event that a serious incident does occur.
Additionally, “security incidents” are not defined in user training or reflected in the user Rules of Behavior.

By not providing incident response training, NCUA increases the risk of employees not understanding or adhering to the policies and procedures that NCUA has put in place for incident response handling. Additionally, it increases the risk of incident response team members not being fully trained and capable of performing their additional duties.

Recommendation: We recommend that NCUA management define “incidents” as part of user training, ensure that roles and responsibilities are articulated, and review the Rules of Behavior disclosure to assure that clear procedures are articulated to personnel regarding what to report in the event that an incident occurs.

Additionally, we recommend that the NCUA provide additional training to its incident response team members on current best practices and federal guidance.

Agency Response: Agreed.

OIG Response: The OIG concurs.


15.     NCUA’s Plan of Actions and Milestones (POA&M) process needs improvement.

NCUA program officials do not actively support the process of tracking and updating the Plan of Actions and Milestones (POA&M) for their respective systems. Based on review of documentation and interviews with the NCUA ISO, the POA&M process is largely driven by updates from the ISO, instead of the ISO receiving periodic updates from the program officials responsible for remediation requirements. Program officials are not actively identifying vulnerabilities or weaknesses and incorporating them into existing POA&Ms.

Additionally, while certain risks to the ESS system were known by the NCUA ISO, they were not formally incorporated into the POA&M. The risks not included follow:

•     The CIO and ISO have been aware of weaknesses in backups to external drives (lack of encryption of sensitive data).
•     The Risk Assessment and POA&M do not reflect the use and risk of all external storage media in use that contain sensitive data in an unencrypted format (i.e., CD drives are addressed but not USB drives).

During our inspection of the NCUA POA&M and related documentation, we noted that not all AMAC findings identified from the AMAC certification conducted by the ISO are captured in the NCUA POA&M document, such as:

•   AMAC personnel accepting credit card or ACH information over the phone for payments from credit union customers could lead to fraud;
•   Aftech no longer has modem access to the AMAC system; and
•   The computer room does not have a raised floor.

The NCUA ISO faces the additional burden of tracking agency efforts to remediate risks and vulnerabilities by having to actively pursue status updates from program officials for their respective action items. Additionally, by not including critical risks identified for the ESS and AMAC systems, NCUA management may not have a full picture of the risks to those systems on which to base their certification and accreditation decisions.

NIST SP 800-37 states that the authorizing official or designated representative should work with the information system owner to revise the POA&M to ensure that proactive measures are taken to correct security deficiencies in the information system. The POA&M, which is prepared by the information system owner, describes measures that have been implemented or planned to correct deficiencies noted during the assessment of the security controls and reduce or eliminate known vulnerabilities in the information system.

NIST SP 800-37 also states that the POA&M submitted by the information system owner is used by the authorizing official to monitor progress in correcting deficiencies noted during the security certification. In addition to executing the POA&M, information system owners should also establish a disciplined and structured process to monitor the effectiveness of security controls in the information system during the period of limited authorization to operate.

Recommendation: We recommend that NCUA management implement and enforce policy that better supports the NCUA ISO in receiving and tracking updates to the POA&M as warranted. In addition, the ISO needs to ensure all identified weaknesses are incorporated into the POA&M.

Agency Response: Agreed.

OIG Response: The OIG concurs.
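The account reconciliation described in Finding 4 and the password, lockout and inactivity settings discussed in Finding 5 can be checked mechanically. The Python script below is an added example and is not part of the OIG report or of any NCUA tooling. It reconciles a directory account export against HR separation records (flagging enabled accounts of separated staff and last logons dated after the separation date, as in the instance the report describes, together with temporary accounts with no or lapsed expiry, system accounts with no documented owner, and users with no recent logon) and evaluates settings against the values the report recommends (90-day password change, a lockout that also applies to the laptop or desktop itself, a 30-minute inactivity lock). The account list, separation roster, setting names and the 90-day stale-logon window are all constructed for illustration.

```python
"""Added example (not from the OIG report): account reconciliation and
password/lockout/inactivity settings check modelled on Findings 4 and 5.
All accounts, dates, owners and setting names below are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    name: str
    kind: str                       # "user", "temporary" or "system"
    enabled: bool
    last_logon: Optional[date]      # None = never logged on
    expires: Optional[date] = None  # temporary accounts must carry an expiry
    owner: Optional[str] = None     # system accounts must name a business owner


# Constructed directory export. "jdoe" mirrors the pattern in Finding 4: still
# enabled, with a logon dated after the HR separation date.
ACCOUNTS: List[Account] = [
    Account("jdoe", "user", True, date(2006, 3, 8)),
    Account("asmith", "user", True, date(2006, 6, 1)),
    Account("bjones", "user", True, date(2006, 1, 15)),
    Account("contractor7", "temporary", True, date(2006, 5, 20), expires=date(2006, 4, 30)),
    Account("svc_backup", "system", True, None),
    Account("svc_monitor", "system", True, None, owner="OCIO Operations"),
    Account("tmp_intern", "temporary", True, None),
    Account("oldadmin", "user", False, date(2005, 9, 1)),
]
# Constructed HR roster: user name -> separation date.
SEPARATIONS: Dict[str, date] = {"jdoe": date(2006, 2, 2)}


def reconcile(accounts: List[Account], separations: Dict[str, date],
              as_of: date, stale_after_days: int = 90) -> List[Tuple[str, str]]:
    """Return (account name, reason) pairs for every enabled account that
    lacks a demonstrated business purpose as of the reconciliation date."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # disabled accounts are out of scope
        sep = separations.get(acct.name)
        if sep is not None:
            reason = f"separated {sep.isoformat()} but still enabled"
            if acct.last_logon is not None and acct.last_logon > sep:
                reason += f"; last logon {acct.last_logon.isoformat()} is after separation"
            findings.append((acct.name, reason))
        elif acct.kind == "temporary":
            if acct.expires is None:
                findings.append((acct.name, "temporary account has no expiry date"))
            elif acct.expires < as_of:
                findings.append((acct.name, f"temporary account expired {acct.expires.isoformat()}"))
        elif acct.kind == "system":
            if not acct.owner:
                findings.append((acct.name, "system account has no documented owner"))
        elif acct.last_logon is None or (as_of - acct.last_logon).days > stale_after_days:
            findings.append((acct.name, f"no logon in the last {stale_after_days} days"))
    return findings


def check_settings(settings: Dict[str, object]) -> List[str]:
    """Return the setting names that fall short of the report's recommendation:
    password change every 90 days, a lockout threshold that also applies to the
    laptop/desktop itself, and a lock after 30 minutes of inactivity.
    Zero means 'never' / 'unlimited' for the numeric settings."""
    problems: List[str] = []
    age = int(settings.get("max_password_age_days", 0))
    if age == 0 or age > 90:
        problems.append("max_password_age_days")
    if int(settings.get("lockout_threshold", 0)) == 0:
        problems.append("lockout_threshold")
    elif not settings.get("lockout_applies_to_endpoint", False):
        problems.append("lockout_applies_to_endpoint")
    lock = int(settings.get("inactivity_lock_minutes", 0))
    if lock == 0 or lock > 30:
        problems.append("inactivity_lock_minutes")
    return problems


# Constructed settings: the weak state described in Finding 5 beside a corrected one.
WEAK_SETTINGS = {"max_password_age_days": 0, "lockout_threshold": 10,
                 "lockout_applies_to_endpoint": False, "inactivity_lock_minutes": 0}
CORRECTED_SETTINGS = {"max_password_age_days": 90, "lockout_threshold": 5,
                      "lockout_applies_to_endpoint": True, "inactivity_lock_minutes": 30}


def run_audit(as_of: date = date(2006, 6, 2)) -> Dict[str, list]:
    """Run both checks on the constructed data and return the results."""
    return {"accounts": reconcile(ACCOUNTS, SEPARATIONS, as_of),
            "weak": check_settings(WEAK_SETTINGS),
            "corrected": check_settings(CORRECTED_SETTINGS)}


if __name__ == "__main__":
    result = run_audit()
    for name, reason in result["accounts"]:
        print(f"{name:12} {reason}")
    print("weak settings failing:", result["weak"])
    print("corrected settings failing:", result["corrected"])
```

In practice the `ACCOUNTS` list would be populated from a directory export and `SEPARATIONS` from the HR system, and the script would run on a fixed schedule so that a separated user's account is caught at the next reconciliation rather than months later; the separation check deliberately fires even when the account shows no logon, because an enabled account with no business owner is the risk the finding describes.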